Thread: GoDaddy Cert Problem

  1. #1
    Join Date
    May 2010
    Posts
    15
    Rep Power
    5

    Hello,

    I am attempting to install a GoDaddy cert with my (otherwise wonderful) Zimbra setup.


    First I am generating a csr and key with openssl -

    Code:
    [root@cloud3:~/certs ] #:openssl genrsa -des3 -out cloud3.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................................................+++
    .........+++
    e is 65537 (0x10001)
    Enter pass phrase for cloud3.key:
    6293:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
    Enter pass phrase for cloud3.key:
    6293:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
    Enter pass phrase for cloud3.key:
    Verifying - Enter pass phrase for cloud3.key:

    Code:
    [root@cloud3:~/certs ] #:openssl req -new -key cloud3.key -out cloud3.csr 
    Enter pass phrase for cloud3.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:NJ
    Locality Name (eg, city) []:Summit
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Jiffy Cloud!
    Organizational Unit Name (eg, section) []:Zimbra
    Common Name (eg, YOUR name) []:cloud3.jiffycloud.com
    Email Address []:bluethundr@gmail.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    All pretty standard.

    Then I verify the cert with the appropriate zimbra command:

    Code:
    [root@cloud3:~/certs ] #:/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/cloud3.key ./cloud3.newdom.com.crt ./gd_bundle.crt
    ** Verifying ./cloud3.newdom.com.crt against /opt/zimbra/ssl/zimbra/commercial/cloud3.key
    Enter pass phrase for /opt/zimbra/ssl/zimbra/commercial/cloud3.key:
    Certificate (./cloud3.newdom.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/cloud3.key) match.
    Valid Certificate: ./cloud3.newdom.com.crt: OK

    But when I try to deploy the cert I get this error:

    Code:
    [root@cloud3:~/certs ] #:/opt/zimbra/bin/zmcertmgr deploycrt comm ./cloud3.newdom.crt ./gd_bundle.crt
    ** Verifying ./cloud3.newdom.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Can't find private key  /opt/zimbra/ssl/zimbra/commercial/commercial.key  
    XXXXX ERROR: provided cert isn't valid.

    I made sure to key the cloud3.crt file with the CSR generated above.

    It appears to be looking for commercial.key when I need to be using cloud3.key

    Suggestions?

  2. #2
    Join Date
    Jun 2007
    Location
    Halmstad, Sweden
    Posts
    58
    Rep Power
    8

    Have a look at this wiki. It suggests a "Zimbra way" to generate the CSR.

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

  3. #3
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    FWIW, we use GoDaddy certs a fair amount but frequently have problems.

    The "BFI" method we use is essentially to wipe everything, start fresh, and then use a blend of the commandline tools and the Admin Console. Doing this however requires some downtime.

    First, back up your ssl directory!

    Then, get the system to a good clean state before doing the commercial ssl work:


    1. Using the commandline tools, regenerate and deploy a new Zimbra CA.
    2. Using the Admin Console, create and deploy a self-signed SSL cert.
    3. Confirm at this point that the system works OK, and then back up the ssl directory once again.
    4. Use the Admin Console to create a CSR for GoDaddy. One cert per server; domain wildcard and multi-server certs have for us never worked.
    5. Go back to the commandline to fetch the newly created CSR; too often the Admin Console functionality to display/retrieve the CSR we find doesn't work.
    6. Submit the CSR to GoDaddy and get your ssl cert, plus the GoDaddy root and bundle certs.
    7. Use the Admin Console to deploy the certs, using the bundle cert as the Intermediate cert.


    Hope that helps,
    Mark

    P.S. ("BFI" = Brute Force and Ignorance...)

  4. #4
    Join Date
    May 2008
    Posts
    45
    Rep Power
    7

    We have found that GoDaddy certs rarely work from the Admin Console. The following are the steps that work reliably; as root, do the following:

    1) mkdir /root/certs and place the cert files in there

    2) cat gd_bundle.crt gd-class2-root.crt >> commercial_ca.crt

    2.1) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra

    chmod 740 /opt/zimbra/ssl/zimbra/commercial.key

    3) verify the certificate
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key ./commercial.crt ./commercial_ca.crt

    4) deploy the cert
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt

    5) restart the zimbra services
    su - zimbra
    zmcontrol stop
    zmcontrol start
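
The errors in this thread come down to three things: `deploycrt` reading the key from a fixed path, the cert having to match that key, and the CA bundle having to chain to the cert. The following pre-flight check is an added example, not part of any post or of Zimbra's tooling. The function names are hypothetical, the default key path is the one shown in the error message in post #1, and a passphrase-less PEM key is assumed.

```shell
#!/bin/sh
# Added example: checks to run before `zmcertmgr deploycrt comm <cert> <ca>`.
# Function names are hypothetical; only standard openssl subcommands are used.

# Path deploycrt looked for in post #1 (override via environment if needed).
ZIMBRA_KEY=${ZIMBRA_KEY:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}

# Succeeds only if the cert's public key equals the one derived from the
# private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {  # $1 = cert (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the cert verifies against the given CA file
# (intermediates plus root concatenated, as commercial_ca.crt is above).
chain_verifies() {  # $1 = cert (PEM), $2 = CA bundle (PEM)
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    case $out in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Runs all checks and names the first one that fails.
preflight() {  # $1 = cert, $2 = CA bundle, $3 = key (default: ZIMBRA_KEY)
    key=${3:-$ZIMBRA_KEY}
    [ -r "$key" ] || { echo "FAIL: no readable key at $key"; return 1; }
    cert_matches_key "$1" "$key" \
        || { echo "FAIL: $1 does not match key $key"; return 1; }
    chain_verifies "$1" "$2" \
        || { echo "FAIL: $1 does not chain to $2"; return 1; }
    echo "OK: key, cert and CA bundle are consistent"
}

# Usage, after sourcing this file, with the file names from post #4:
#   preflight ./commercial.crt ./commercial_ca.crt
```

A failure on the first check corresponds to the "Can't find private key" error in post #1: the key generated by hand was never placed at the path `deploycrt` reads.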

  5. #5
    Join Date
    Nov 2010
    Posts
    17
    Rep Power
    4

    I am trying to use a GoDaddy UCS cert. I don't have a gd-class2-root.crt file; mine came with the following:
    gd_bundle.crt
    gd_cross_intermediate.crt
    gd_intermediate.crt
    mail.domain.com.crt

    Trying to use the directions above but not sure exactly what to do.

  6. #6
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

  7. #7
    Join Date
    Nov 2010
    Posts
    17
    Rep Power
    4

    Thanks, I was able to get it working through the GUI by choosing gd_bundle.crt for the root, mail.domain.crt for the cert and gd_intermediate.crt for the intermediate. Bookmarked your link for the future, though. Thanks!
